Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib
Dave Thaler <dthaler@microsoft.com> Thu, 30 May 2013 19:44 UTC
Return-Path: <dthaler@microsoft.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08C9921F907E for <behave@ietfa.amsl.com>; Thu, 30 May 2013 12:44:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.217
X-Spam-Level:
X-Spam-Status: No, score=-98.217 tagged_above=-999 required=5 tests=[AWL=-0.750, BAYES_00=-2.599, SARE_RAND_6=2, UNRESOLVED_TEMPLATE=3.132, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hNo6tGtXa2YB for <behave@ietfa.amsl.com>; Thu, 30 May 2013 12:44:16 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0241.outbound.protection.outlook.com [207.46.163.241]) by ietfa.amsl.com (Postfix) with ESMTP id A964A21F8FA3 for <behave@ietf.org>; Thu, 30 May 2013 12:44:16 -0700 (PDT)
Received: from BY2FFO11FD017.protection.gbl (10.1.15.202) by BY2FFO11HUB007.protection.gbl (10.1.14.165) with Microsoft SMTP Server (TLS) id 15.0.707.0; Thu, 30 May 2013 19:40:57 +0000
Received: from TK5EX14HUBC103.redmond.corp.microsoft.com (131.107.125.37) by BY2FFO11FD017.mail.protection.outlook.com (10.1.14.105) with Microsoft SMTP Server (TLS) id 15.0.698.0 via Frontend Transport; Thu, 30 May 2013 19:40:57 +0000
Received: from CO9EHSOBE025.bigfish.com (157.54.51.114) by mail.microsoft.com (157.54.86.9) with Microsoft SMTP Server (TLS) id 14.3.136.1; Thu, 30 May 2013 19:40:48 +0000
Received: from mail186-co9-R.bigfish.com (10.236.132.252) by CO9EHSOBE025.bigfish.com (10.236.130.88) with Microsoft SMTP Server id 14.1.225.23; Thu, 30 May 2013 19:39:02 +0000
Received: from mail186-co9 (localhost [127.0.0.1]) by mail186-co9-R.bigfish.com (Postfix) with ESMTP id 979A11000D7 for <behave@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Thu, 30 May 2013 19:39:02 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT004.namprd03.prod.outlook.com; R:internal; EFV:INT
X-SpamScore: -27
X-BigFish: PS-27(zz9371Ic89bh936eI119bId772h542I1432I179dNzz1f42h1ee6h1de0h1fdah1202h1e76h1d1ah1d2ah1fc6hzz1033IL17326ah8275dhz31h2a8h668h839h947hd24hf0ah1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h1ad9h1b0ah1d07h1d0ch1d2eh1d3fh1de9h1dfeh1dffh17ej9a9j1155h)
Received-SPF: softfail (mail186-co9: transitioning domain of microsoft.com does not designate 157.56.240.21 as permitted sender) client-ip=157.56.240.21; envelope-from=dthaler@microsoft.com; helo=BL2PRD0310HT004.namprd03.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:SKI; SFS:; DIR:OUT; SFP:; SCL:-1; SRVR:BN1PR03MB266; H:BN1PR03MB267.namprd03.prod.outlook.com; LANG:en;
Received: from mail186-co9 (localhost.localdomain [127.0.0.1]) by mail186-co9 (MessageSwitch) id 1369942741527159_13650; Thu, 30 May 2013 19:39:01 +0000 (UTC)
Received: from CO9EHSMHS014.bigfish.com (unknown [10.236.132.239]) by mail186-co9.bigfish.com (Postfix) with ESMTP id 7E40384004D; Thu, 30 May 2013 19:39:01 +0000 (UTC)
Received: from BL2PRD0310HT004.namprd03.prod.outlook.com (157.56.240.21) by CO9EHSMHS014.bigfish.com (10.236.130.24) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 30 May 2013 19:39:01 +0000
Received: from BN1PR03MB266.namprd03.prod.outlook.com (10.255.200.15) by BL2PRD0310HT004.namprd03.prod.outlook.com (10.255.97.39) with Microsoft SMTP Server (TLS) id 14.16.311.1; Thu, 30 May 2013 19:38:58 +0000
Received: from BN1PR03MB267.namprd03.prod.outlook.com (10.255.200.17) by BN1PR03MB266.namprd03.prod.outlook.com (10.255.200.15) with Microsoft SMTP Server (TLS) id 15.0.698.13; Thu, 30 May 2013 19:38:58 +0000
Received: from BN1PR03MB267.namprd03.prod.outlook.com ([169.254.15.233]) by BN1PR03MB267.namprd03.prod.outlook.com ([169.254.15.233]) with mapi id 15.00.0698.010; Thu, 30 May 2013 19:38:57 +0000
From: Dave Thaler <dthaler@microsoft.com>
To: Simon Perreault <simon.perreault@viagenie.ca>
Thread-Topic: WGLC on draft-ietf-behave-nat-mib
Thread-Index: Ac5csUf0maP8QPpzSZGehDhIcO1HfwAAQW1QABobqYAAFHfJEA==
Date: Thu, 30 May 2013 19:38:57 +0000
Message-ID: <2d6b12df967d4faf8fcfd6d6891b2ca2@BN1PR03MB267.namprd03.prod.outlook.com>
References: <7bc37af6cf764c2e965778b6b265a2d4@BY2PR03MB269.namprd03.prod.outlook.com> <ba99d2de63904656992c45255161910a@BY2PR03MB269.namprd03.prod.outlook.com> <51A72041.6060208@viagenie.ca>
In-Reply-To: <51A72041.6060208@viagenie.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:1a:3:24d6:67ae:ed1b:a4be]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BN1PR03MB266.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%TOOLS.IETF.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%VIAGENIE.CA$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC103.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC103.redmond.corp.microsoft.com
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(189002)(13464003)(377424003)(45074003)(199002)(377454002)(51704005)(60454003)(76576001)(44976003)(56776001)(33646001)(16676001)(20776003)(23756003)(63696002)(6806003)(4396001)(74366001)(47776003)(47976001)(74316001)(76482001)(81542001)(15202345002)(77982001)(54316002)(59766001)(49866001)(79102001)(47736001)(551544002)(81342001)(50986001)(56816002)(76796001)(50466002)(47446002)(74706001)(31966008)(74502001)(74662001)(46102001)(53806001)(69226001)(74876001)(80022001)(54356001)(65816001)(76786001)(51856001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BY2FFO11HUB007; H:TK5EX14HUBC103.redmond.corp.microsoft.com; CLIP:131.107.125.37; RD:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 08626BE3A5
Cc: "behave@ietf.org" <behave@ietf.org>, "draft-ietf-behave-nat-mib@tools.ietf.org" <draft-ietf-behave-nat-mib@tools.ietf.org>
Subject: Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 19:44:22 -0000
> -----Original Message----- > From: Simon Perreault [mailto:simon.perreault@viagenie.ca] > Sent: Thursday, May 30, 2013 2:48 AM > To: Dave Thaler > Cc: draft-ietf-behave-nat-mib@tools.ietf.org; behave@ietf.org > Subject: Re: WGLC on draft-ietf-behave-nat-mib > > Le 2013-05-29 23:42, Dave Thaler a écrit : > > Some initial items noticed by document shepherd (me): > > > > 1) Section 5 of the current draft has > > " Some of the readable objects in this MIB module (i.e., objects with a > > MAX-ACCESS other than not-accessible) may be considered sensitive or > > vulnerable in some network environments. It is thus important to > > control even GET and/or NOTIFY access to these objects and possibly > > to even encrypt the values of these objects when sending them over > > the network via SNMP." > > > > Per http://trac.tools.ietf.org/area/ops/trac/wiki/mib-security > > that's supposed to be followed with > > " These are the tables and objects and their > > sensitivity/vulnerability: > > > > <list the tables and objects and state why they are sensitive>" > > > > Also the document has 2 paragraphs of text "There are a number of > > managed objects in this MIB that may contain ... > > versions of SNMP provide features for such a secure environment." > > which do not appear in the current MIB boilerplate at the link above. > > Should those 2 paragraphs be removed? > > How about this as a replacement? > > Some of the readable objects in this MIB module (i.e., objects with a > MAX-ACCESS other than not-accessible) may be considered sensitive or > vulnerable in some network environments. It is thus important to > control even GET and/or NOTIFY access to these objects and possibly > to even encrypt the values of these objects when sending them over > the network via SNMP. These are the tables and objects and their > sensitivity/vulnerability: > > Objects that reveal host identities: Various objects can reveal the > identity of private hosts that are engaged in a session with > external end nodes. A curious outsider could monitor these to > assess the number of private hosts being supported by the NAT > device. Further, a disgruntled former employee of an enterprise > could use the information to break into specific private hosts by > intercepting the existing sessions or originating new sessions > into the host. > > * natMapIntAddrType > > * natMapIntAddrInt > > * natMapIntAddrExt > > * natMappingIntRealm > > * natMappingIntAddressType > > * natMappingIntAddress > > * natMappingIntPort > > * natMappingMapBehavior > > * natMappingFilterBehavior > > * natMappingAddressPooling > > * natSubscriberIntPrefixType > > * natSubscriberIntPrefix > > * natSubscriberIntPrefixLength > > Other objects that reveal NAT state: Other managed objects in this > MIB may contain information that may be sensitive from a business > perspective, in that they may represent NAT state information. > > * natCntAddressMappings > > * natCntProtocolMappings > > * natPoolUsage > > * natPoolRangeAllocatedPorts > > * natSubscriberCntMappings > > There are no objects that are sensitive in their own right, such as > passwords or monetary amounts. Fine. > > 2) Section 5 contains MUST, SHOULD, etc. But the document is missing > > the boilerplate reference to RFC 2119. > > *gasp* > > Added. Ok. > > 3) Section 6 does not say whether any additional actions for IANA are > > needed. Suggest adding "No IANA actions are required by this document." > > Added. Ok. > > 4) The MIB compiler I used complained about this: > >> natMappingPool OBJECT-TYPE > >> SYNTAX NatPoolId (0|1..4294967295) > > Because of > >> NatPoolId ::= TEXTUAL-CONVENTION > >> SYNTAX Unsigned32 (1..4294967295) > > > > That is, NatPoolId does not allow 0, and so natMappingPool cannot add > > it and still use the NatPoolId syntax. > > Hmmmm... Would it be OK if I changed natMappingPool to an Unsigned32? > > natMappingPool OBJECT-TYPE > SYNTAX Unsigned32 (0|1..4294967295) Yes, but you should remove the range restriction since that's the full range. So just SYNTAX Unsigned32 > Updated draft is attached. I see you added in the security considerations section: > Note: This section only applies to objects with current status. > For deprecated objects, please refer to the Security > Considerations section from [RFC4008]. However that doesn't make sense in my opinion unless we make RFC4008 a Normative (not informative) reference. But I would prefer keeping it as an informative reference so it can be obsoleted. So I disagree with the quoted limitation. -Dave
- [BEHAVE] WGLC on draft-ietf-behave-nat-mib Dave Thaler
- Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib Dave Thaler
- Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib Simon Perreault
- Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib Dave Thaler
- Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib Simon Perreault
- Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib ietfdbh
- Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib Simon Perreault
- Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib Juergen Schoenwaelder